Re: [pve-devel] [PATCH pve-access-control] fix #1500: permission path syntax check for access control

all lists on lists.proxmox.com
 help / color / mirror / Atom feed

From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Lorenz Stechauner <l.stechauner@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-access-control] fix #1500: permission path syntax check for access control
Date: Fri, 16 Apr 2021 15:09:40 +0200	[thread overview]
Message-ID: <bf9d0c12-c54f-3285-e567-c3fce03132f7@proxmox.com> (raw)
In-Reply-To: <20210416123438.93188-1-l.stechauner@proxmox.com>

On 16.04.21 14:34, Lorenz Stechauner wrote:
> Syntax for permission paths is now checked on API calls for
> creation or update on permissions.
> 

great first patch, it seems functional FWICT, but I'd still change the way
we build the regex, see below.

> Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
> ---
>  PVE/API2/ACL.pm      |  4 ++++
>  PVE/AccessControl.pm | 31 +++++++++++++++++++++++++++++++
>  2 files changed, 35 insertions(+)
> 
> diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
> index c340267..857c672 100644
> --- a/PVE/API2/ACL.pm
> +++ b/PVE/API2/ACL.pm
> @@ -141,6 +141,10 @@ __PACKAGE__->register_method ({
>  	my $path = PVE::AccessControl::normalize_path($param->{path});
>  	raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;
>  
> +	if (!$param->{delete} && !PVE::AccessControl::check_path($path)) {
> +	    raise_param_exc({ path => "invalid ACL path '$param->{path}'" });
> +	}
> +
>  	PVE::AccessControl::lock_user_config(
>  	    sub {
>  
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index 8b5be1e..5ac2df2 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -60,6 +60,24 @@ cfs_register_file('priv/tfa.cfg',
>  		  \&parse_priv_tfa_config,
>  		  \&write_priv_tfa_config);
>  
> +sub get_permission_paths {
> +	return (
> +	'/',
> +	'/access',
> +	'/access/groups',
> +	'/access/realm',
> +	'/nodes',
> +	'/nodes/{node}',
> +	'/pool',
> +	'/pool/{poolid}',
> +	'/sdn',
> +	'/storage',
> +	'/storage/{storage}',
> +	'/vms',
> +	'/vms/{vmid}',
> +    )
> +}
> +
>  sub verify_username {
>      PVE::Auth::Plugin::verify_username(@_);
>  }
> @@ -929,6 +947,19 @@ sub normalize_path {
>      return $path;
>  }
>  
> +sub check_path {
> +    my $path = normalize_path(shift);
> +    my @regex_str_arr = ();
> +    foreach (get_permission_paths()) {
> +	    my $regex_str = $_;

nit: indentation error above

> +	$regex_str =~ s/\{vmid\}/\\d{3,}/;
> +	$regex_str =~ s/\{[a-z]+\}/[[:alnum:]\\.\\-\\_]+/;
> +	push(@regex_str_arr, $regex_str);
> +    }
> +    my $regex_str = '^(' . join('|', @regex_str_arr) . ')$';

why don't we return already a regex array by `get_permission_paths`, which may then be
named `get_permission_path_regex` ?

Else this seems to be a bit much of manual translations and also an unnecessary extra
overhead, I'd like to avoid custom template interpretations at runtime.


get_permission_paths (or whatever it will be named then) could look like:

sub ... {
    my $paths = (
        qr!/!,
        qr!/access!,
        # ...
        qr!/vms/\d{3,}!
    );

    return join("|", @paths);
}

or as above then has not really much extra value, especially as it's only used in one place,
just directly define the actual regex

sub check_path {
    my ($path) = @_;

    my $re = qr!^(
        /
        |/access
        # ...
        |/vms/\d{3,}
    )$!;

    return $path =~ $re;
}

would IMO be even nicer

> +    return $path =~ m@$regex_str@;
> +}
> +
>  PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
>  sub verify_groupname {
>      my ($groupname, $noerr) = @_;
>

     prev parent reply	other threads:[~2021-04-16 13:09 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-16 12:34 Lorenz Stechauner
2021-04-16 13:09 ` Thomas Lamprecht [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bf9d0c12-c54f-3285-e567-c3fce03132f7@proxmox.com \
    --to=t.lamprecht@proxmox.com \
    --cc=l.stechauner@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal